How have the recent trends in security threats changed the way MicroSolved conducts vulnerability assessments and risk management services for customers?
I think it has really given us an added focus at the top of the stack. We were always inclusive with an organization’s applications, but spent a larger amount of resources focused on the OS and network levels of the environment. Now, given the focus of attackers on the application layer, I think we had to swing some major resources back to really ensuring the security of the top of the OSI model. Organizations have to be vigilant across their environment. Attackers can and will identify and exploit vulnerabilities, no matter where in the environment they are found. They will assault the OS, the network AND the applications to gain access to their targets.
With your experience in application security, what specific issues do you consider most critical when conducting a software security audit?
Our team believes you have to focus on the data assets of the organization. At the end of the day, the data is where the value is, and it is the goal of most attackers. As such, we tend to focus on issues that could cause a loss of confidentiality, integrity or availability. Items like injections, improper use of cryptography, protocol errors, cross-site scripting and, of course, overflows. We find these to be the most critical to protecting the data of the client.
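Two of the issue classes named above, injection and cross-site scripting, are easiest to understand as a vulnerable snippet beside its hardened form. The following is an added example written for this page; it is not code from the interview, from MicroSolved or from Ounce Labs. The `users` table, its three constructed rows, and the function names are assumptions made for the illustration. The first pair shows how string-built SQL lets an attacker-controlled username widen a lookup from one row to every row (a confidentiality loss), and how a parameterised query keeps the input as data; the second pair shows unescaped versus escaped output in an HTML response.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [  # constructed sample data, not real accounts
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: the username is spliced into the statement text, so
    an input such as  x' OR '1'='1  becomes part of the WHERE clause and
    returns every row instead of one."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a bound parameter is always treated as a value,
    never as SQL, so the same payload simply matches no row."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted input is written straight into HTML."""
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: html.escape turns <, >, &, and quotes into entities,
    so the browser renders the payload as text rather than executing it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, payload))  # all three rows
    print("safe:      ", lookup_user_safe(db, payload))        # []
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

The same pattern applies to any sink that interprets text as code (shell commands, LDAP filters, template engines): keep untrusted input out of the instruction stream by using the API's parameter binding or output encoding rather than by trying to filter characters.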
You purchased Ounce Labs’ technology after previously using another commercial source code analysis tool. What factors led to that decision?
Several factors contributed to the decision. The primary ones were the general stability of the Ounce product, the increased capability to identify real vulnerabilities and to produce fewer false positives and false negatives, and the rich detail of the mitigation suggestions. It reduces the resources needed to perform the assessments, which saves our clients money and lets them secure more of their organization with their existing budgets. Given the scope of most environments today, this is a critical point for helping make commerce more secure on a global scale.
How can companies better integrate software security assessment results into their business decisions to make sure the process is valuable?
I think this is a vital question. I think it stems from the need for further-reaching, deeper risk assessments in organizations worldwide. We simply have to help people identify where their assets are, and how they exist throughout their lifecycle. Once an organization knows that their key data, the very things that keep them in business, are being created and interacted with by various processes, I think it is a “no brainer” for them to understand that they have to secure that data. Most organizations simply don’t know where their data really exists, or understand how it is impacted by their environment. If they do, they will see software security as a very natural and necessary step. It has value because it protects that which is most vital to their existence.
Thanks for talking with me today. I greatly appreciate the opportunity to talk about application security. I truly believe that over the next five years we will see increasing security pressures on organizations by their customers and by attackers. Our team really believes that the majority of this visibility will be at the application level. That means that it is essential for us to begin the work of securing our applications today, and teaching better development practices to our programmers to ensure the security of our applications for tomorrow. Ounce is an incredible resource that allows my team to more effectively do both.